Computer forensics

17.04.2006
The television series CSI has given millions of viewers an appreciation of the role and importance of physical evidence in conducting criminal investigations. Each week, we see the confluence of fingerprints, DNA tests, autopsies, microscopic examinations and ballistic evidence used to solve a murder or explain the circumstances surrounding an unusual death. The drama lies less in the events that are portrayed than in the thinking that lies behind the collection, preservation and interpretation of the evidence needed to solve the case and support prosecution.

IT managers aren't likely to confront dead bodies on the job, but a rudimentary knowledge of evidence, as it relates to computer data, can help protect your organization's operations, data and processes. In today's computer-driven world, where networked e-mail and instant messaging are the communication norms, knowing how to collect, handle and analyze information on a miscreant's computers can be critical to a successful civil or criminal prosecution.

There are two categories of computer crime: criminal activity that involves using a computer to commit a crime, and criminal activity that has a computer as a target, such as a network intrusion or a denial-of-service attack. The same means of gathering evidence are used to solve both types of crimes. And the same kinds of skills used by the lawbreakers are needed to track them down.

It Takes an Expert

Computer forensics is not a task to be undertaken lightly by just any IT worker. Instead, it calls for specialized skills and careful, documented procedures. A forensics expert knows what signs to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.

Computer data is fundamentally different in some respects from other types of information, and this affects how we have to handle it as evidence. Unlike a traditional paper trail, computer evidence frequently exists in many forms, and often different versions of documents are accessible on a computer disk or backup tapes. Data stored on a computer or network is difficult to destroy completely, because the data is likely to coexist on multiple hard drives, and deleted files and even reformatted disks can often be fully recovered. In addition, computer data can be replicated exactly for special analysis and processing without destroying the originals.
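The two properties just described, exact replication of the original and recovery of data that is no longer referenced by the file system, can be shown in a few lines of Python. This is an added illustration, not part of the original article; the "disk image" is a constructed byte string, and the header/footer signatures stand in for those of a real file format.

```python
import hashlib
from typing import List, Tuple

# Constructed sample: a PNG-like record whose directory entry is gone, but
# whose bytes still sit on the disk between unallocated filler.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"


def make_sample_image() -> bytes:
    """Build a tiny raw image: filler, leftover junk, the 'deleted' file, slack."""
    deleted_file = PNG_MAGIC + b"IHDR...constructed chunk data..." + PNG_END
    return b"\x00" * 64 + b"old directory junk" + deleted_file + b"\x00" * 32


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_working_copy(original: bytes) -> Tuple[bytes, str, str]:
    """Make a bit-for-bit copy and hash both sides for the custody record.

    The original is only read, never written; all analysis runs on the copy.
    """
    copy = bytes(original)
    return copy, sha256(original), sha256(copy)


def verify_integrity(original_hash: str, copy: bytes) -> bool:
    """True only if the working copy still matches the hash taken at acquisition."""
    return sha256(copy) == original_hash


def carve(image: bytes, header: bytes, footer: bytes) -> List[bytes]:
    """Recover files by signature, ignoring whatever the file system still lists.

    A header with no matching footer (a truncated or overwritten file) is skipped.
    """
    found = []
    pos = 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start)
        if end == -1:
            break
        end += len(footer)
        found.append(image[start:end])
        pos = end
    return found


if __name__ == "__main__":
    copy, h_orig, h_copy = acquire_working_copy(make_sample_image())
    print("copy matches original:", h_orig == h_copy)
    print("carved files:", len(carve(copy, PNG_MAGIC, PNG_END)))
```

Any later change to the working copy, even a single byte, makes `verify_integrity` fail, which is exactly the check a custody record relies on.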